Keep Android Open
Source: keepandroidopen.org
Key topics: Android, Open-Source, Google, Privacy, Regulation
The potential restriction of sideloading Android apps sparks debate about digital freedom and the role of Google in controlling the Android ecosystem.
Snapshot generated from the HN discussion
Story posted: Oct 29, 2025 at 12:03 AM EDT
First comment: Oct 29, 2025 at 1:25 AM EDT (1h after posting)
Peak activity: 128 comments in 0-12h
Latest activity: Nov 2, 2025 at 9:04 PM EST
ID: 45742488, Type: story, Last synced: 11/27/2025, 3:36:09 PM
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."
Google wants my apartment lease to let me distribute free games, so I just won't support their platform.
This is not about security, it's about control.
Of course we know, but they always spin it as being about security.
Edit: and to be clear, I’m against this change by Google. I think there is value in protecting grandma from sideloaded apps (if that even happens in the real world) but this isn’t about protection of consumers, it’s about centralised control of what you can and can’t do, in preparation for handing over the reins to an authoritarian government. ‘Security’ either to protect you from scams, protecting YouTube from third party apps, or preventing nation state hacking or similar will inevitably be the driving narrative.
It's not a lie if it is to secure their cashflow.
Which you think would be the first thing you'd put on there since Bluetooth pairing is extremely difficult to get right when you're using custom operating systems.
Someone suggested (I lost the link) flipping the script with a GLiNet Mudi hotspot with SMS forwarding (to e-mail); I really like this idea. It would be suuuper neat to play around with the tethered model: make SIP calls with a hacked Switch with Android installed / dedicated ruggedized VoIP phone for emergencies, or justify making and carrying a cyberdeck.
Personally, I'm hoping to revive my 3DS because I fell in love with the darn thing again (and its near infinite battery life). I heard you can make calls on the original DS with SvSIP, so suuurely that can work on the 3DS too. As a fellow gamer and android dev I'm sure you'd appreciate the idea.
I don't want a phone owned and controlled and spied on by governments and mega corporations. I want a Gibson-Neuromancer style obelisk disk blob thing that does Internet, Telephony, and Computer stuff and uses whatever I tether it to as the human interface.
My Linux phone is a PinePhone pro, which I believe is no longer being sold. It's not great. Phosh could generously be described as "in progress" last time I used it. UIs for many applications aren't built for small touchscreens like that.
I'd have to review the hardware market again if I were going to make a fresh recommendation. Librem looks cool conceptually, but they're a bit pricey, and their framing of a "Made in USA" variant as a premium feature rather than a red flag, a reputation risk, and a supply chain risk make me skeptical of whether Librem is a trustworthy entity at all, or might just be controlled opposition. That could just be me erring on the side of paranoia, though.
China will never let that happen.
I mean, the actual implementation will be that CCP signs Google DragonFly Global Root CA cert, and Apple runs Google signed firmware, but those are just minor implementation details.
Volkswagen Your Face
Vincent Wants Yummy Fries
Viewing Worked Yesterday, Frank
Voyeur Whom You Fuck
Veiled Widows You Fancy
Vore Website? Yes, Free!
Verify With Your Face
-Your Friend
Australian users of alternative app stores should make a complaint to the ACCC: https://www.accc.gov.au/about-us/contact-us-or-report-an-iss...
In the past, they forced Steam to implement proper refund policies, and they are currently suing Microsoft about the way subscribers were duped into paying more for "AI features" they didn't want.
Tell them to lodge a designated complaint to the Australian Competition & Consumer Commission (ACCC).
ACCC complaints are designed for individual grievances while a designated complaint from a designated complainer is supposed to address "significant or systemic market issues that affect consumers in Australia".
But long-term, Android is such a massive code base, and was designed more for surveillance and consumption, than for privacy&security and the user's interests.
I think getting mainline Linux viable and sustainable on multiple hardware devices is a warmer, fuzzier foundation. (Sort of a cross between Purism's work on the Librem 5, and PostmarketOS's work on trying to get mainline Linux viable on something else.)
Well, show me that magic OS that works on "just about any computer", because I am sure Windows ain't that. OSX only works on their select devices, and Windows has its own way of sucking. Let's be honest, there is shitty hardware out there and nothing will work decently on top. People just try to save these by putting Linux on top and then the software gets the blame.
And the latest gen fingerprint scanner only works between 10-50% of the time depending on the day, humidity, etc., no matter how often you re-enroll a fingerprint, enroll a fingerprint multiple times, etc.
And the battery drains in 3-4 hours. Unless you let powertop enable all USB/Bluetooth autosuspend, etc. But then you have to write your own udev rules to disable autosuspend when connected to power, because otherwise there is a large wakeup latency when you use your Bluetooth trackball again after not touching it for one or two seconds.
And if you use GNOME (yes, I know use KDE or whatever), you have to use extensions to get system tray icons back. But since the last few releases some icons randomly don't work (e.g. Dropbox) when you click on it.
And there are connectivity issues with Bluetooth headphones all the time plus no effortless switching between devices. (Any larger video/audio meeting, you can always find the Linux user, because they will need five minutes to get working audio.)
As long as desktop/laptop Linux is still death by a thousand paper cuts, Linux on the desktop is not going to happen.
I really wish it was seamless and good, but it just isn't (and frankly it's a bit embarrassing it isn't given desktop environments for GNU Linux have been in development for 20+ years).
For example the laptop I had from my previous employer (a pretty beefy Dell) was failing to go to sleep, I had to unplug the charger and the HDMI cable on my desk each night, otherwise every second night it was keeping my monitor lit on the lock screen; when low on battery it clocked the CPU down so much that the whole system froze to a grinding stop not even the mouse pointer was moving, and even after putting it back on the charger it remained similarly unusable for a good 10 mins..
Like I have been using Linux since the Xorg config days when you could easily get a black screen if you misconfigured something, but at least those issues are deterministic and once you get to a working state, it usually stays there. Also, Linux has made very good progress in the last decade and it has hands down the best hardware support nowadays (makes sense given that the vast vast majority of servers run Linux, so hardware companies employ a bunch of kernel devs to make their hardware decently supported).
I moved to Mint almost 4 years ago at this point, running it on a now fairly old Dell G5 from 2019. Runs as smoothly as ever.
I had one problem during this 4 year run (botched update and OS wouldn't start). Logging to terminal and getting Timeshift to go back to before the update did the trick. Quick and painless. I could even run all the updates (just had to be careful to apply one of those after a reboot).
I have no idea what you are talking about. Maybe I am just very lucky with Linux.
I think desktop Linux will not improve until people start acknowledging the issues and work on it. It's the same as the claim that Linux is very secure (which Linux fans will often repeat), while it has virtually no layered security, and a fairly large part of the community is actively hostile towards such improvements (e.g. fully verified boot).
I have both Linux machines and Macs and Linux has always been objectively worse when it comes to driver and software issues. It just has a large number of paper cuts.
I use both Linux machines and Macs (at work) and Macs have always been objectively worse when it comes to usability and development. It just has a large number of paper cuts.
This doesn't happen on my ThinkPad but does on my MacBook. If anyone else faces these kernel panics on their Mac, you have to set your monitor to a hard 120hz rather than a variable rate on the macOS display settings. KDE handles the variable rate just fine on the ThinkPad for me.
I switched from Windows to Linux; it's been 2 years. One of the few things I missed on Windows was the native WhatsApp app, as the Web WhatsApp is horrible. Then a few months Meta killed the native app and made it into a webview-app :)
e.g. HellDivers 2 didn't work well until recently on Linux. If you are playing certain factions it is a very fast paced game and I would frequently experience slow downs on Linux.
So if I wanted to play HellDivers 2, I would have to reboot into Windows. Since running kernel 6.16 and updates to proton it now runs better.
IME a lot of developers don't even use Linux on their desktop machine. I've met three developers that use Linux professionally IRL. A lot of devs have a hard time even using git bash on Windows.
I am always called up by people at work because I am "the Linux guy" when they have a problem with Linux or Bash.
Sure, there are a lot of people that use Linux indirectly e.g. deploy to a Linux box, use Docker or a VM. But if someone isn't running Windows, 9 times out of 10 they are running a Mac.
More generally the thing that has paid the bills for me is always these huge proprietary tech stacks I've had to deal with. Whether it be Microsoft's old ASP.NET tech stack with SQL Server, AWS, Azure, GCP, what pays the bills is proprietary shite. I hate working with this stuff, but that's what you gotta do to pay the bills.
In corpo-world, everyone is using Windows. If they are using Linux it would be through a VM or WSL. I guarantee none of those people are using Linux at home.
So for every developer you know that is using Linux, there are many more people using Windows supplied to them by their IT department.
And I guarantee that you're wrong, because I work a corporate job where I have to put up with Windows and am 99% Linux at home. (The other 1% is *BSD and illumos.)
The vast majority of developers I have worked with (and I've contracted a lot of places) know next to nothing about Linux. They can barely use a terminal (Powershell, CMD, Bash/Zsh) and often can't do anything outside of the IDE.
If they do use Linux, it will be on a Raspberry Pi that gets stuck in a drawer after a few months.
To those that keep voting me down on this. The teams and environments you work in are the outliers. I've had to accept that I am in the minority as a Linux user even amongst software professionals.
I think what it fundamentally comes down to is that for consumer-oriented Linux to see widespread adoption, it needs to succeed on its own merits. Right now, and since forever, Linux exists in a space for the majority of consumers who consider it where they think "I might use it, because at least it's not the other guy". A real contender would instead make the general public think "I'll use this because it's genuinely great and a pleasure to experience in its own right". And that's why I have absolutely zero faith in Linux becoming a viable smartphone ecosystem. If it were truly viable, it would have been built out already regardless of what Android was doing. "Sheltering Android refugees" is not a sustainable path to growth any more than "sheltering Windows refugees" is.
I have zero faith in a Linux smartphone. What will happen is that there will be some GNU/FSF thing with specs that are 15 years out of date and you will have to install Linux via a serial console using Trisquel and the only applications available will be Mahjong (yes I am being hyperbolic).
I realised a few years ago when one of my friends didn't know what the browser was on her phone, that any notion of people caring about the OS outside of branding is pretty much non-existent.
We'll finally get our ecosystem diversity back when the next geopolitical happening happens and Google bans Chinese android apps on bullshit pretexts.
Wait a few years more.
The Chinese will eventually find it easier to sell their Chinese ecosystem devices to the world instead of catering to Google and American three-letter agencies.
Sure some apps won't work for whatever reason & HN commenters will have incredibly scathing things to say about that, but I bet there's a lot of folks who'd be cool with missing an app here or there.
It sucks to be losing Android, but IMO it's an ecosystem in free-fall. Bootloaders are locked more and more, there's literally zero AOSP hardware buyable now, and the roms scene has diminished not grown over time.
I totally think there's a Steam Deck moment waiting around a corner, where what seemed impossible a year ago shows up and is dead obvious & direct, and we all wonder why there were so many doubts before.
IMO, I think Microsoft gave up on running Android apps on Windows because they read the writing on the wall: Google will use Play Integrity/Protect to ensure Android apps only run on Google-approved devices/operating systems and nothing else.
I think this is the ultimate fate for Waydroid, as well.
Many developers would need some help to get offline functionality and updates right though.. And it would be really nice if these apps didn't require parsing megabytes of JavaScript libraries on startup.
One can dream! :-)
https://webostv.developer.lge.com/discover
Making a guess: nope. Same underpowered SoC, in order to save $5.
Differentiation, that is what all OEMs care about, netbooks already showed us that.
Another tailwind might be in the gaming scene. I have the general sense that SteamOS has been an interesting gateway for technically-minded folks to be impressed by this Linux thing. A similar model for mobile phones might be a tailwind (like a SteamOS for ARM?) The reason why that's perfect is because it undermines the Google monopoly and creates an app ecosystem that people will absolutely flock to, at least for games ($$).
It felt at the time like there was positive progress, more bits getting mainlined at a trickle but at least steady trickle rate. But it feels dark now. At least the GPU drivers everywhere have been getting much better, but I get the impression Qualcomm couldn't even ship a desktop/laptop after years of delay, is barely getting that in order now. It feels impossible to hope for the mobile chips anywhere to find religion & get even basic drivers mainlined.
Even if that was true, AOSP is better for privacy and security than any other Linux distro.
https://source.puri.sm/Librem5/docs/community-wiki/-/wikis/F...
That's like saying using a hole in a wall is a different approach to security than putting a lockable door in a wall. Sure, no security is a different approach to security, but it's not an effective one.
>There are no malicious apps in GNU/Linux repositories
Maybe not intentionally malicious, but there have been bugs that can cause applications to act maliciously such as deleting users' files. If an application gets exploited it could also do malicious things. Just because you trust the author of a program, that doesn't mean that sandboxing is pointless. Additionally, programs like the terminal are free for the user to run things like curl | sh which can run malware infecting the system and run wild since there is no security to stop it from doing almost anything.
>Purism
The wiki page pretty much says that they don't have privacy or security and don't have the resources to implement such features unlike Google or Apple. They also make some claims to try and pretend their platform is secure and private in order to help sell the Librem 5, a product they made with inferior privacy and security compared to Android.
[0] https://news.ycombinator.com/item?id=45017028
[1] https://news.ycombinator.com/item?id=45208925
That is a feature of Play Services and not a part of AOSP which is what we are talking about.
>Or Google delaying security patches
Like it or not coordinated vulnerability disclosure is a thing in the industry and is done by other Linux distros too.
That's definitely not the case. There have been repeated cases of developers shipping malicious code which ended up in distribution package repositories. Defining malicious is difficult and incredibly privacy invasive behavior is often not considered to be malicious. That software is also generally being used without a mandatory app sandbox with a proper permission model, so it can access whatever it wants for the most part beyond self-imposed restrictions.
There are similarly maintained package repositories for Android such as F-Droid. It adds the people doing packaging as trusted parties. Contrary to common misconceptions, Linux distributions and F-Droid are not meaningfully auditing/reviewing the upstream code and therefore not actually significantly reducing trust in the upstream projects. There are substantial delays for updates with how most are maintained, so that gives time for external parties to find issues but doesn't mean it won't be packaged and shipped anyway.
This is not true for Debian, which is the upstream of PureOS.
> therefore not actually significantly reducing trust in the upstream projects
And yet, it has practically negligible number of malicious apps, especially compared with Google Play. It's far from perfect, and you are right that the sandboxing should be further improved. Nevertheless, it is a security model working in practice for a large userbase of Debian. It works especially well for technical users.
Lots of the software they provide has privacy invasive behavior and far more than that has poor privacy.
> And yet, it has practically negligible number of malicious apps, especially compared with Google Play.
Google Play is not the only app repository for Android-based operating systems. There are repositories in the style of traditional Linux distributions and also better approaches available.
> Nevertheless, it is a security model working in practice for a large userbase of Debian.
No, it has very poor privacy and security.
> It works especially well for technical users.
Being technical doesn't address the massive privacy and security issues. It only makes it less likely people install blatant malware instead of it being a problem through supply chain attacks and very poor security throughout the OS.
You can't attack Debian like this without providing a few examples.
> No, it has very poor privacy and security.
This is just an empty accusation. Have you seen serious security problems in Debian with any noticeable consequences recently?
It's not specific to Debian. They're packaging a massive ecosystem of software nearly entirely not developed or significantly changed by Debian and are assembling an operating system out of it. Many of the projects they package have quite poor attitudes when it comes to privacy and security, including core components of the base OS. It's mainly criticism of projects including glibc, systemd, GCC and GNOME which is worse when using an OS lagging so far behind backporting a subset of the vulnerability fixes and doing the opposite of attack surface reduction / hardening with how they integrate most of it.
> This is just an empty accusation. Have you seen serious security problems in Debian with any noticeable consequences recently?
Yes, it has atrocious privacy and security including being far behind operating systems like macOS in deploying app sandboxing, a modern permission model, isolation throughout the OS, modern exploit protections and memory safe languages. Debian is focused on packaging and integrating software, not developing it. There's nearly zero work on overall privacy and security work. Backporting patches for issues assigned CVEs is not systemic work on improving privacy and security. Debian is not making the major ongoing advances in privacy and security which have happened on mobile and are happening at a slower and more limited pace for macOS. QubesOS largely exists to work around the extreme insecurity of traditional desktop operating systems. It also exists to work around the insecure architecture of the Linux kernel which is increasingly behind macOS and especially iOS doing increasingly sophisticated kernel hardening with substantial work done across the kernel along with moving more code into userspace. If anything, Linux is moving more code into kernel space where it has no isolation, particularly on traditional distributions simply enabling all the new features/functionality rather than doing more and more attack surface reduction and hardening like Android/ChromeOS (which are still falling further behind iOS in this area).
https://source.android.com/docs/core/ota/apex
GrapheneOS has apex modules disabled and never had the need for that.
So is it stuck in Java 12?
Google began shipping Google builds of the APEX modules via the Play Store to work around non-Pixel devices not shipping the latest monthly, quarterly and yearly OS releases. For Google Mobile Services devices, many of the APEX modules are required to be the official Google builds from the Play Store. The changes to APEX modules are released as part of the quarterly and yearly AOSP releases.
You just have to somehow speedrun the decades of development that went into Android to make it decently run on mobile hardware.. never really understood this "throwing out the baby" direction - the UNIX userspace model simply doesn't work on mobile (I would wager it also doesn't work on desktop anymore), has no security (everything runs as your user which made sense when you ran some batch job on a terminal with multiple other users, but nowadays when a single user has as many processes as all the users had back then it effectively means no security between any of those programs), there is no real resource control, no lifecycles, so the device will burn scorching hot and have terrible battery life.
On Android (and iOS) apps were always living in a world with lifecycles so if they wanted to operate correctly, they had to become decent citizens (save state when asked, so they can be stopped and resumed at any moment). This also fits nicely with sandboxes and user permissions, etc.
So without developing an alternative user-space for "GNU-Linux", it's simply not competing with android in any form or shape.
And even if you do, now every GNU app has to somehow be ported to that userspace API (you can't just kill GIMP or whatever Linux process)
Isn't this mainly due to proprietary drivers and firmware?
Android devs actually backported a bunch of work to the mainline kernel with regards to low-level energy management, but that's only one half of the story. The other is your phone stopping unused apps gracefully, and being able to go back to sleep regularly.
I disagree. The Android security model is better than the Linux one. I am very happy with GrapheneOS, I don't have much to complain about.
The problem is that Google sucks and nobody enforces antitrust laws. But it's not just Google: how many Android manufacturers don't suck, really? Do they contribute to AOSP at all? Probably not. Do they build reasonable devices that could run something like GrapheneOS? Nope. Just relocking the bootloader is often a problem.
In some ways it probably is, but it still isn't that good in my opinion (although some of the problems have to do with the way the settings and controls are working rather than the security model itself, there are also problems with the security model itself too). (I think there are other problems with Android (and other operating systems) too.)
I was talking about the security model.
I disagree. I have been using de-googled / de-spywared Android for a decade now and I really love it. Once you remove google mobile services and rely on open source applications Android feels really good.
Also it's questionable if projects such as Purism or even the PinePhone will ever offer such good security and privacy as a de-googled Pixel with GrapheneOS will.
https://grapheneos.social/@GrapheneOS/112712864209034804
This is a step in the right direction to keep people safe in my opinion. Most people around the world don’t understand the risks.
The topic here is Google nuking F-Droid from orbit, probably because it has NewPipe.
You are restricting a fundamental digital right in exchange for a minuscule reduction in risk.
Before they are allowed to make any comment on scams, they should clean up their own store first.
99% of all car accidents with real world consequences are caused by licensed human drivers, ergo, all licensed human drivers should be removed from roads.
Same argument. It's true, and simultaneously, it skips right past all of the ramifications of the proposal, even when the ramifications conceivably result in more harm than the original problem did.
https://en.wikipedia.org/wiki/G._K._Chesterton#Chesterton's_...
If you're in the US, UK or EU, please contact your government.
The solution, I think, would be a regulation that forbids manufacturers of any chip or device CPU from making obstacles to reprogramming the device (using fuses, digital signatures, encryption etc). So if you buy a device with CPU and writable memory, you should be able to load your own program and the manufacturer may not use technical measures to stop you. The goal of the regulation would be to prevent the creation of digital waste and vendor locks and to allow reusing the hardware.
Of course, features like theft prevention won't work, so the user should be able to waive this right.
You will lose DRM-based apps (e.g. Netflix), Payment apps, and bank apps though.
Fortunately, they backed off and decided to abandon the proposal after massive backlash. But we don't know when we will see a 2.0 version of that.
Yes, some banks still allow classic clunky 2FA (SMS, card readers, sometimes SIM generators) but it'll all eventually go away in favor of "locked and favored" OS unless legislation fights against it.
Other manufacturers do the same, where you have to wait a period of like 45 days before being able to unlock, and then have to ask permission on their website to unlock your bootloader.
iiuc the OG Verizon Pixel has an unlockable bootloader, but the operating system doesn't let you unlock it, meaning root access should allow unlocking the bootloader.
some devices have a legitimately locked bootloader, which means you're SOL.
wandering the web to find an exploit is way beyond my spare time.
https://contact-the-cma.service.gov.uk/wizard/classify
It's very simple to submit a complaint.